CVE-2023-31999

HIGH
Published Jul 4, 2023 · Modified Jun 17, 2026
8.8 CVSS 3.1
High

Description

All versions of @fastify/oauth2 before 7.2.0 generated a single state parameter statically at startup and reused it across all requests for all users. The purpose of the OAuth2 state parameter is to prevent Cross-Site Request Forgery attacks, so it should be unique per user and tied to the user's session in a way that lets the server validate it. v7.2.0 changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set, and the state is now generated for every user by default. Note that this includes a breaking change to the checkStateFunction function, which now accepts the full Request object.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-352 Cross-Site Request Forgery (CSRF) Authentication

Affected Products 1

Vendor | Product | Version | Range
fastify | oauth2 | * | <7.2.0

References 3

  • auth0.com https://auth0.com/docs/secure/attack-protection/state-parameters
    Exploit
  • github.com https://github.com/fastify/fastify-oauth2/releases/tag/v7.2.0
    Release Notes
  • hackerone.com https://hackerone.com/reports/2020418
    Permissions Required

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.